On Thu, Oct 05, 2017 at 02:14:57PM -0400, Steve Weeks wrote:
The problem is definitely in sss_pam. From the logs, it sounds like it can't get the certificate from the server.
p11_child works the same on both Fedora 25 and Ubuntu 16.04 in both pre-auth and auth mode. To run in auth mode, change the command line to:
echo PIN | /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --auth --pin
Running from the command line, both Fedora and Ubuntu return the same results in either mode.
On Ubuntu running a real login, auth mode is never called. The sssd_pam.log files are different. I've attached the full logs, but this is what seems to be the problem.
Fedora, which works fine:
[sss_dp_issue_request] (0x0400): Issuing request for [0x55e4aeaaa710:8:MIIHdjCCBV6gAwIBAgIT.. [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.example.com][ *0x14][BE_REQ_BY_CERT*][1][cert=MIIHdjCCBV... [sss_dp_internal_get_send] (0x0400): Entering request [0x55e4aeaaa710:8:MIIHdjCCBV6gA....... [cache_req_cache_search] (0x0040): Cache Request [User by certificate #0]: Cannot find info for [CERT:S/kgorJq32@ipa.example.com] [child_sig_handler] (0x1000): Waiting for child [5701]. [child_sig_handler] (0x0100): child [5701] finished successfully. [sbus_remove_timeout] (0x2000): 0x55e4afa97210 [sbus_dispatch] (0x4000): dbus conn: 0x55e4afa9e7d0 [sbus_dispatch] (0x4000): Dispatching. [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
The same sequence in Ubuntu has a different call parameter and seems to fail:
[sss_dp_issue_request] (0x0400): Issuing request for [0x410090:8:MIIHdjCCBV6... [sss_dp_get_account_msg] (0x0400): Creating request for [ipa.example.com][*0x1014][FAST BE_REQ_BY_CERT*][1][cert=MIIHdjCCBV6gAw... [sbus_add_timeout] (0x2000): 0xc46200 [sss_dp_internal_get_send] (0x0400): Entering request [0x410090:8:MIIHdjCCBV6g..... [child_sig_handler] (0x1000): Waiting for child [9758]. [child_sig_handler] (0x0100): child [9758] finished successfully. [sbus_remove_timeout] (0x2000): 0xc46200 [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0xc1a220 [sbus_dispatch] (0x4000): Dispatching. [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed
Fedora is running sssd 1.14.2 and Ubuntu is running 1.13.4. The user is from an AD trust. Both systems are attached to the same IPA server.
How did you map the certificate to the AD users? Did you create an idoverride for the AD user and add the certificate to the override? Unfortunately this is only supported since sssd-1.14.
bye, Sumit
Is there some configuration change that will make the Ubuntu system behave like the Fedora system? I'd really like to use the standard Ubuntu distribution.
Thanks, Steve
On Fri, Sep 29, 2017 at 11:17 AM, Steve Weeks nbxsteve@gmail.com wrote:
That works, but it is only pre-auth mode. In --auth mode it fails, but I don't think that relevant since fails the same way on Fedora too.
The problems seems to be that on Ubuntu, --auth mode is never called. On Fedora p11_child is called twice. Once with --pre and then a second time with --auth. In the log you see:
$ egrep 'main|verified' p11_child.log (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x0400): p11_child started. (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running in [pre-auth] mode. (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with effective IDs: [0][0]. (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000): Running with real IDs [0][0]. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x0400): p11_child started. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running in [auth] mode. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with effective IDs: [0][0]. (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000): Running with real IDs [0][0]. (Thu Sep 28 14:23:23 2017) [[sssd[p11_child[15378]]]] [do_work] (0x4000): Certificate verified and validated.
I've trimmed the log to what (I think) was interesting. I can send everything if you need it.
For Ubuntu, the log stops after the first invocation of p11_child and you never see the [auth] mode call. Otherwise the logs are the same.
Steve
On Fri, Sep 29, 2017 at 3:17 AM, Sumit Bose sbose@redhat.com wrote:
On Thu, Sep 28, 2017 at 02:35:55PM -0400, Steve Weeks wrote:
Progress, but still not using the smartcard and falling back to the password.
I changed to change the pam_sss line in common-auth too:
auth [default=1 success=ok] pam_localuser.so auth [success=2 default=ignore] pam_unix.so nullok_secure #auth [success=1 default=ignore] pam_sss.so use_first_pass auth sufficient pam_sss.so forward_pass
Now p11_child is called, but doesn't validate the certificate. On
Fedora
the final line in p11_child.log is "Ceritificate verified and
validated".
On Ubuntu that line is missing.
The root certificate is in the certdb. (certutil -d /etc/pki/nssdb -L).
Is there a way to do what p11_child does from the command line or with better logging so I can what it doesn't like? I have debug_level = 9 on everything at the moment.
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre
--nssdb=/etc/pki/nssdb
should do the trick.
HTH
bye, Sumit
Thanks, Steve
On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose sbose@redhat.com wrote:
On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
In all cases on both system pam_unix comes before pam_sss. For
example
in
Fedora system-auth it is:
On recent Fedora systems you should have
auth [default=1 success=ok] pam_localuser.so
before the lines below. This will call pam_unix only for users from /etc/passwd and skip the line it otherwise (default=1). Maybe
something
like this would help on Ubuntu as well?
bye, Sumit
auth [success=done ignore=ignore default=die] pam_unix.so
nullok
try_first_pass auth requisite pam_succeed_if.so uid >= 1000
quiet_success
auth sufficient pam_sss.so forward_pass
and in Ubuntu common-auth it is:
auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_sss.so use_first_pass
I tried reversing the lines and get a pam error about user not know
(it
is
an AD user which works fine on fedora).
Also, it looks like pam_pkcs11.so is used in smartcard-auth on
Fedora.
Don't know if this is relevant or not.
Steve
On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
> On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via
FreeIPA-users
> wrote: > > We have smartcards (PIV) working just fine on Fedora 25 with
FreeIPA
> client > > version 4.4.4 (SSSD 1.14.2). However on Ubuntu 16.04, FreeIPA
client
> > 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored. > > > > The smartcard is readable using pkcs11-tools and pkcs15-tools
on both
> > systems. > > > > On both systems sssd.conf contains: > > [pam] > > pam_cert_auth = True > > > > I've turned the sssd logging up to 9 on both systems and it
looks
like
> > p11_child is never called on the Ubuntu system. On the Ubuntu
system
> > p11_child.log is empty and there is no sign of it being started
in
the
> > sssd_pam.log. > > > > Any suggestions on what I should look at next? > > How does your PAM configuration looks like? You have to make sure
that
> pam_sss.so is the first module called for SSSD users. If pam_unix
comes
> first it will ask for a Password and pass it on to pam_sss.so
which
will
> try password authentication in this case. > > HTH > > bye, > Sumit > > > > > Thanks, > > Steve > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahost
ed.org
> > To unsubscribe send an email to freeipa-users-leave@lists. > fedorahosted.org > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahost
ed.org
> To unsubscribe send an email to freeipa-users-leave@lists.
fedorahosted.org
>